CCTV Policy

A) INTRODUCTION Closed Circuit Television (CCTV) is used by Moylurg Rockingham DAC (MRD) for a number of purposes. This use may involve the recording of personal data of individuals including their recognisable images. MRD is obliged to protect such data in accordance with provisions contained in the General Data Protection Regulation (GDPR) which came into effect on 25th May 2018 and the Data Protection Act 2018.

B) PURPOSE OF POLICYMRD has developed a number of general policies and procedures to protect personal data. Provisions contained in these documents apply to the operation by MRD of CCTV systems. The purpose of this policy is to support these documents by outlining specific provisions to assist MRD to fulfil its data protection obligations regarding the operation of CCTV systems including, but not limited to, arrangements relating to the location, control and security of CCTV systems, recording by CCTV systems and access to their recordings.

C) DEFINITIONSFor the purposes of this policy document the following definitions apply:MRD: The company Moylurg Rockingham DAC Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.Data Subject: is an individual who is the subject of personal data.Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of Moylurg Rockingham DAC.

2) Data obtained through the use of CCTV systems shall be limited and proportionate to the purposes for which it was obtained.3) CCTV will not be used by MRD for any other purposes other than those outlined in this policy document.4) CCTV Locations CCTV will be deployed, as appropriate, either permanently or from time to time, at various locations within the functional area of Lough Key Forest and Activity Park or for any of the purposes outlined in this policy document. These locations may include the following:

a) Visitor centre premises and property.

b) Activities and Attractions

c) Properties containing MRD’s plant, machinery and equipment

d) Public areas.

e) CCTV will not be deployed where persons have a reasonable expectation of privacy.

f) Cameras shall be positioned in such a way as to prevent or minimise recordings of persons or property other than those that are intended to be covered by the CCTV system.

F) CCTV SIGNAGE1) Overt CCTV surveillance requires signage, that is clearly visible and legible, to be placed so that persons are aware that they are entering an area that is covered by a CCTV system.2) If the identity of the Data Controller (i.e. MRD) and the usual purpose for processing (i.e. security) is obvious the following is all that is required to be placed on the signage:

a) Notice that CCTV is in operation.

b) Details of who to contact regarding the CCTV system.

G) COVERT CCTV SURVEILLANCE1) The use of CCTV to obtain data without an individual’s knowledge is generally unlawful.2) Covert CCTV surveillance is normally only permitted on a case by case basis where the data is necessary for the purposes of preventing, detecting or investigating offences or apprehending or prosecuting offenders.3) The use of covert CCTV surveillance will normally require the involvement of a law enforcement authority.4) Covert CCTV surveillance must be focussed and of short duration.5) Only specific and relevant individuals/locations should be recorded.6) If no evidence is obtained that is relevant to the purpose of the covert CCTV surveillance within a reasonable period, the CCTV surveillance should cease.7) If the CCTV surveillance is intended to prevent crime, overt CCTV surveillance may be considered to be a more appropriate measure and less invasive of individual privacy.

2) CCTV service providers must be licensed with the Private Security Authority (PSA) which is the statutory body with responsibility for licensing and regulating the private security industry in Ireland.3) CCTV service providers are considered to be Processors and as such they are required to enter into a formal Data Processing Agreement with MRD to ensure that they, in addition to MRD, discharge their obligations under data protection legislation.4) The management of the CCTV system shall take responsibility for the operation of the CCTV. This responsibility will include ensuring that the CCTV system is being operated in a manner that is consistent with this policy and data protection legislation.5) Only persons authorised by management may have access to the CCTV system.6) Management and other persons authorised by management to access the system will be appropriately trained.

I) RETENTION OF CCTV RECORDINGS1) Data recorded on CCTV systems shall be kept for no longer than is considered necessary.2) Normally data recorded on CCTV systems will not be retained by MRD beyond a maximum of 28 days.3) Data recorded on CCTV systems may however be retained by MRD beyond a maximum of 28 days in circumstances where the data is required for evidential purposes and/or legal proceedings.

J) SECURITY ARRANGEMENTS FOR CCTV1) Access to each CCTV and its recordings shall be restricted to management and other persons that have authorised access to the system.2) The storage medium used by the CCTV system should be kept in a secure location.

K) CCTV REGISTERA CCTV Register shall be maintained by MRD’s Corporate Services Department. This register shall contain, at a minimum, the following information:

a) Location of each CCTV system.

b) Purpose of each CCTV system.

c) CCTV service provider details.

d) Type of signage at each CCTV location.

e) Location of signage at each CCTV location.

f) Details of personnel having authorised access to each CCTV system.

g) Retention period for CCTV recordings.

L) ACCESS TO CCTV RECORDINGSAccess to CCTV recordings may be provided to the following:

a) Data Subjects

b) An Garda Síochána

c) Other Third Parties

1) Access by Data Subjects

a) Data protection legislation provides data subjects with a right to access their personal data. This includes their recognisable images and other personal data captured by CCTV recordings. Access requests are required to be submitted in writing in physical or electronic format e.g. by letter or e-mail and will be processed in accordance with provisions contained in MRD’s Subject Access Request Policy and Procedures. A copy of this document may be accessed via the GDPR files.

b) Where it is deemed necessary or appropriate MRD may request the provision of additional information to confirm the identity of person submitting a data subject access request.

c) It would not suffice for a data subject to make a general access request for a copy of CCTV recordings. Instead, it will be necessary that data subjects specify that they are seeking to access a copy of CCTV recordings that have captured their recognisable images and/or other personal data between specified dates, at certain times and at a named location.

d) The provision of access to a data subject to CCTV recordings of his/her recognisable images and/or other personal data will normally involve providing a copy of the recording in video format. In circumstances where the recording is technically incapable of being copied, or in other exceptional circumstances, stills may be provided as alternative to video footage. Where stills are provided MRD will aim to supply a still for every second of the recording in which the data subject’s recognisable images and/or other personal data appears.

e) Where recognisable images and/or other personal data of other parties other than the data subject appears on the CCTV recordings these will be pixelated or otherwise redacted on any copies or stills provided to the data subject. Alternatively, unedited copies of the CCTV recordings may be released provided consent is obtained from those other parties whose recognisable images and/or other personal data appear on the CCTV recordings.

f) If the CCTV recording is of such poor quality as to not clearly identify recognisable images and/or other personal data relating to the data subject then the recording will not be considered as personal data and may not be released by MRD.

g) If the CCTV recording no longer exists on the date that MRD receives an access request it will not be possible to provide access to a data subject. CCTV recordings are usually deleted in accordance with provisions contained in this policy.

2) Access by An Garda Síochána

a) There is a distinction between a request by An Garda Síochána to view CCTV recordings and to obtain copies of such recordings. In general, a request made by An Garda Síochána to simply view CCTV recordings should be accommodated as it does not raise any concerns from a data protection perspective.

b) Requests from An Garda Síochána for copies of CCTV recordings are required to be submitted in writing on An Garda Síochána headed paper and signed by an appropriate ranking member of An Garda Síochána. The request should specify the details of the CCTV recordings required and cite the legal basis for the request being made.

c) In order to expedite a request in urgent situations, a verbal request from An Garda Síochána for copies of CCTV recordings will suffice. However, such a verbal request must be followed up with a formal written request from An Garda Síochána.

3) Access by Other Third PartiesAccess by third parties such as public bodies, private organisations and individuals other than the data subject to CCTV recordings will only be provided in circumstances that are permitted by data protection legislation.

M) ACCESS LOG1) An Access Log shall be maintained by management for each CCTV system.2) This log shall maintain a record of all requests made by the following to view/obtain copies of CCTV recordings and the outcome of such requests:

a) Data Subjects,

b) An Garda Síochána and

c) Other Third Parties

N) PRIVACY STATEMENTSDetails of personal data being recorded by CCTV systems that are used by MRD and information regarding the use of such data including any sharing of such data with third parties are outlined in Privacy Statements.

O) DATA PROTECTION IMPACT ASSESSMENTA Data Protection Impact Assessment shall be carried out, in accordance with data protection legislative requirements, before any installation of a new CCTV system or upgrade to an existing CCTV system if in the opinion of MRD, the installation or upgrade is likely to result in a high risk to the rights and freedoms of individuals.

P) GUIDELINES/CODES OF PRACTICEMRD shall adhere to all relevant CCTV Guidelines/Codes of Practice issued by the Data Protection Commission and/or other statutory bodies.

Q) COMPLAINTS TO THE DATA PROTECTION COMMISSION1) Data subjects may make a complaint to the Data Protection Commissioner in the following circumstances:

a) If they experience a delay outside of the prescribed timeframe for making a decision on an access request or if they are dissatisfied with a decision by MRD on their access request;

b) If they consider that MRD’s processing of their personal data is contrary to their data protection rights. Detailed information on the rights of a data subject is contained in MRD’s Data Subject Rights Policy and Procedures document.

Search engine

Moylurg Rockingham DAC trades under the name of Lough Key Forest and Activity Park and operates the park as a commercial private entity. It is a joint venture between Coillte and Roscommon County Council who established the company Moylurg Rockingham DAC. The project was originally funded by the Irish Government and part-financed by the European Union under the National Development Plan's Tourism Product Development Scheme, which was administered by Fáilte Ireland. Since opening in May 2007 the company funds itself and is a sustainable company.